Security Myths Exposed: Part 2

Debunking myths of any kind is always an enjoyable exercise. People want to
know the real deal. Back in July, I wrote about some of the more common security
myths -- security practices that are widely considered to be valid, even though
they're wrong. It's time to look at a few more, give them a thorough examination
and debunk them once and for all. Along the way, I'll point out what you can
do to avoid falling for these myths. (To read more about the first two myths
-- SSL Is Secure and Complex Passwords Enhance Security -- see "Security
Myths Exposed," July 2006.)

Myth No. 3: Power Users Are Not Administrators
When Microsoft created the Power Users group, it did so to give administrators
the flexibility to let certain users perform tasks that require elevated privileges
like computer maintenance. Power Users can indeed do many things, even without
having full-fledged administrative access rights.

However, this group is often used as a crutch to let users run badly written
applications. If your accounting program insists on writing its data files to
the Program Files directory, then your accountant needs permission to do so,
as the program runs with his credentials. You would never give full administrative
privileges to an accountant, but making him a Power User doesn't seem all that
bad and it helps get the job done. It does, but it also creates a serious security
risk.

The problem with Power Users is that their assigned level of rights and permissions
also lets them elevate their privileges to become full administrators. So a
Power User is simply an administrator who has not yet elevated himself or herself.

There are many ways for Power Users to elevate their privileges. Among the
easiest is to replace a legitimate program in the Program Files directory with
a malicious one that will elevate privileges. The next time an administrator
or the System account runs that program, it executes with their privileges and
elevates the Power User. Even worse, the program may not have been placed there
by the Power User at all; other malicious software may have been responsible.

It would be easy to blame Microsoft for making the Power Users group too powerful.
However, the reason that this group exists is to make badly behaved programs
run for non-administrative users. The real culprits are software developers
who are too lazy to write their programs so they can be run by a non-privileged
user.

As frustrating as this may be, at least things appear to be getting better.
Most software vendors have finally learned how to write programs that don't
force you to resort to the Power Users group. Vista also makes it easier
to let regular users run programs with potentially risky behaviors -- like saving
data in the Program Files directory, to use the earlier example.

In the meantime, the best you can do is to identify which specific rights or
permissions a problematic program needs in order to run in the security context
of a regular user, and then assign just those to your users. If there's no
alternative to adding users to the Power Users group, at least be aware of the
risks of doing so, and plan on replacing programs that regular users can't run.

Myth No. 4: You Don't Need to Worry About Printers
I was recently looking into buying a new printer. When I searched for information
about the model highest on my list, I found a number of security advisories.
You may wonder how there could be a printer security problem. After all, printers
don't store confidential data -- they just spit out paper in return for a steady
diet of toner or ink.

A networked printer can do a lot more, though. The printer I was considering
had several vulnerabilities in its built-in FTP service. An attacker could connect
to this service and then redirect the connection to other servers on the network.
It turns out that some hackers love to do this type of redirection to escape
detection. After all, you'd never expect that your database server would get
attacked by a printer. As a result, your intrusion detection system may not
sound an alarm if this happens.
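One way to give your intrusion detection the expectation it lacks is to treat printers as devices that should only ever initiate a handful of known connections and flag everything else. The following is an added example, not code from the article; the firewall-log format, the printer addresses and the list of expected ports are all constructed assumptions.

```python
"""Flag outbound connections that originate from network printers
(added example, not part of the article).  The log format, the printer
inventory and the expected-port list are constructed for illustration."""
import re

PRINTERS = {"10.1.5.20", "10.1.5.21"}   # assumed printer inventory
# Ports a printer might legitimately reach out to: DNS, SMTP for
# scan-to-e-mail, NTP, SNMP trap receiver, LDAP address book, syslog.
EXPECTED_DST_PORTS = {53, 25, 123, 162, 389, 514}

LINE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (TCP|UDP) "
                  r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse(line):
    """Parse one constructed firewall log line; return None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}

def suspicious_printer_flows(lines, printers=PRINTERS):
    """Return records where a printer initiates a connection to a port it has
    no business talking to, i.e. the printer may be acting as a pivot."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["src"] not in printers:
            continue            # not a printer-originated flow (or unparsable)
        if rec["dport"] in EXPECTED_DST_PORTS:
            continue            # normal printer housekeeping traffic
        hits.append(rec)
    return hits

# Constructed sample log: a printer talking to a database server (1433) and
# to a file server (445) is exactly the kind of traffic an IDS would miss.
SAMPLE_LOG = """\
2006-09-12 10:15:01 ALLOW UDP 10.1.5.20:49152 -> 10.1.1.2:53
2006-09-12 10:15:03 ALLOW TCP 10.1.5.20:4312 -> 10.1.1.5:1433
2006-09-12 10:15:04 ALLOW TCP 10.1.5.21:4313 -> 10.1.1.9:25
2006-09-12 10:15:06 ALLOW TCP 10.1.2.33:5001 -> 10.1.5.20:9100
2006-09-12 10:15:09 ALLOW TCP 10.1.5.20:4314 -> 10.1.1.10:445
""".splitlines()

if __name__ == "__main__":
    for h in suspicious_printer_flows(SAMPLE_LOG):
        print(f"{h['ts']} printer {h['src']} -> {h['dst']}:{h['dport']} {h['proto']}")
```

Connections to the printer (port 9100 in the sample) are ignored on purpose; the signal is the printer initiating connections, not receiving print jobs.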

Also, networked printers are often password-protected to ensure that only authorized
personnel can change configuration settings. It's not uncommon to see organizations
using the same password for all their printers. In many cases, this is the same
password used for other network devices as well. If an attacker can find this
password, the next step is to try using the same password to reconfigure network
switches to further penetrate the network. As a result, you should include printers
and other network devices in your organization's security plan, even though
they may not be obvious candidates.

Myth No. 5: You Can Completely Eliminate Spam
Two years ago, Bill Gates told the World Economic Forum in Davos, Switzerland,
that spam would essentially be eliminated by 2006. The last time I checked my
mail server, though, more than 99 percent of incoming connections were due to
spam. It appears Bill's prediction was just a bit off.

Gates isn't the only one who has ever made an inaccurate assessment about spam.
Not that long ago, Bayesian filtering was supposed to stop all spam. This type
of filtering detects spam by learning patterns from the mail that you normally
send and receive, and adjusting its decision-making to these patterns.

It didn't take spammers long to fine-tune their methods to defeat such filters.
Even worse, one method spammers now use to get around better filtering is to
simply increase the number of messages they send. After all, a spammer's goal
is to get just a small number of responses. Since a filter lets a roughly fixed
fraction of messages through, doubling the number of e-mails sent essentially
doubles the number of messages that arrive in a valid mailbox.

Greylisting is the latest craze in spam filtering. Mail servers already use
blacklists to block all e-mail from certain addresses and whitelists to always
accept messages from other addresses. When a server receives an incoming connection
from an unknown address, a greylist replies with a temporary error telling the
sending server that the message can't be accepted right now and to please try
again later. The message is only accepted when the remote server sends it a
second time.

The logic behind this method is that most legitimate mail servers will automatically
try again. Spammers, however, normally use a hit-and-run approach. They send
messages once, but won't re-send them if they don't go through the first time.
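The decision logic the two paragraphs above describe fits in a few dozen lines. This is an added example, not code from the article or from any greylisting product; the retry window, expiry and auto-whitelist periods are assumed values, and a real server would map DEFER to an SMTP 4xx temporary-failure reply.

```python
"""Minimal greylisting decision logic (added example, not from the article).
The mail server calls check() for every delivery attempt with the triplet
(client IP, envelope sender, envelope recipient) and turns DEFER into an
SMTP 4xx "try again later" reply.  Timing constants are assumed values."""
import time

RETRY_MIN = 300              # retry sooner than this is still deferred
RETRY_MAX = 4 * 3600         # a pending entry older than this is forgotten
AUTO_WHITELIST = 36 * 86400  # a triplet that passed once is trusted this long

DEFER, ACCEPT, REJECT = "DEFER", "ACCEPT", "REJECT"

class Greylist:
    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist = set(blacklist)  # client IPs always rejected
        self.whitelist = set(whitelist)  # client IPs never greylisted
        self.first_seen = {}             # triplet -> time of first attempt
        self.passed = {}                 # triplet -> time of last accepted delivery

    def check(self, ip, sender, rcpt, now=None):
        now = time.time() if now is None else now
        if ip in self.blacklist:
            return REJECT
        if ip in self.whitelist:
            return ACCEPT
        key = (ip, sender.lower(), rcpt.lower())
        passed = self.passed.get(key)
        if passed is not None and now - passed < AUTO_WHITELIST:
            self.passed[key] = now       # known-good triplet: no delay at all
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None or now - first > RETRY_MAX:
            self.first_seen[key] = now   # new (or stale) triplet: ask for a retry
            return DEFER
        if now - first < RETRY_MIN:
            return DEFER                 # retried too quickly: keep deferring
        # A legitimate MTA that retried after the minimum delay gets through;
        # a hit-and-run spammer never makes this second call at all.
        del self.first_seen[key]
        self.passed[key] = now
        return ACCEPT

if __name__ == "__main__":
    g = Greylist()
    triplet = ("192.0.2.10", "alice@example.com", "bob@example.net")
    for t in (0, 60, 600, 700):          # first try, early retry, proper retries
        print(t, g.check(*triplet, now=t))
```

One caveat a practitioner hits quickly: large senders retry from a different host in the same farm, so production greylisters usually key on the client's /24 network rather than the exact IP, and the delay you see is the remote server's retry interval, not RETRY_MIN.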

Some organizations have achieved remarkably high spam-blockage success rates
using greylisting. However, I'm afraid this success won't last for long. Most
new spam blocking methods work well for a while. Once they're widely adopted,
though, spammers notice an increasing number of their e-mails being blocked
and quickly come up with other methods to get around the spam filters.

I expect the same thing will happen with greylisting. Even if greylisting remains
effective, many organizations find the delay it introduces unacceptable: asking
the remote server to resend the message later can hold up incoming e-mail for
an hour or more.

There's only one thing that will ultimately and completely stop spam, and that
is when spamming stops being profitable. People have to stop buying items offered
in spam messages. As long as there are people willing to buy fake designer watches,
graduate degrees from obscure colleges that may or may not exist and V|@gr@,
there will be enough incentive for the spammers to develop more efficient methods
to get around spam filters.

While it appears that spam may be with us forever, you can at least stop most
of it using one or more spam filters or a hosted solution. If you're using greylisting
today, enjoy it while it works. I predict that within two years, greylisting
won't be seen as a cure-all solution, but will join other spam filtering methods
as one that works well in conjunction with other methods.

If Bill Gates can be wrong, though, then so can I. If spam does completely
disappear in the near future, I wouldn't mind being wrong about that.